FreeBSD -- named(8) DNSSEC validation Denial of Service

Details

VuXML ID: 0f020b7b-e033-11e1-90a2-000c299b62e1
Discovery: 2012-07-24
Entry: 2012-08-07

Problem description:

BIND 9 stores a cache of query names that are known to be failing
due to misconfigured name servers or a broken chain of trust.
Under high query loads, when DNSSEC validation is active, it is
possible for a condition to arise in which data from this cache of
failing queries could be used before it was fully initialized,
triggering an assertion failure.